In today’s interconnected world, innovation takes data — which, until recently, consumers have been willing to share with brands they trust, in exchange for improved and personalized experiences. But the Facebook data breach highlights how directors and officers at any company, public or private, can be found liable for client data misuse.

As early as 2014, Cambridge Analytica, a British political consulting firm that uses data to predict voter interest, began collecting personally identifiable information from Facebook users to inform its voter profiling. Today, users and stockholders are thinking twice, and Facebook CEO Mark Zuckerberg is taking the heat, as directors and officers do whenever a company's handling of data is called into question.

Unfortunately, though, Facebook and Zuckerberg aren’t unique. They’re just the latest chapter in the world’s data breach saga. In 2017, there were 1,579 known data breaches.[1] According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average cost of a data breach in Canada is US$4.4 million – higher than the global average of US$3.9 million.[2] Even more upsetting for victimized businesses is the almost 30% chance of suffering a recurring data breach over the next two years.

Although corporate data breaches can't be completely prevented, there are a few protocols that can minimize exposure for both the company and its decision-makers. They include:

Ask Yourself the Hard Questions. Although each company and its directors and officers will face different challenges when it comes to data breaches, there are a few questions executives should be asking themselves annually to identify exposures.

  1. What are the company's greatest data breach/cyber risks? What steps are being taken to anticipate, manage and mitigate them?
  2. Is each component of the risk management program documented and periodically tested and audited to ensure it meets the needs of our company's evolving exposures?
  3. What are the established protocols for reacting to a data breach/cyber risk when it occurs?
  4. What insurance coverage does the company maintain for a data breach/cyber risk and is this coverage adequate in scope?

Develop a Risk Management Program. This program will include procedures to identify, protect, detect, respond to and recover from data breaches. Examples include securing employee mobile devices; developing an incident response plan that sets out notification requirements and protocols for limiting the damage; implementing access controls between offices; and hiring qualified IT personnel to manage potential risks.

Communicate and Educate. Employees are the first line of defense when it comes to mitigating risk. Make sure your staff is educated on how they can protect themselves and the business from a data breach, including adhering to basic security practices and Internet use guidelines. Establish consequences for employees who fail to follow established security practices.

Be Ready to Respond. In the event of a data breach, maintain transparency with regulators, investors, the provincial attorney general, consumer protection agencies and credit bureaus. Designate employees to interact with customers, the media, regulators and shareholders, and make sure each has talking points and a point of contact for unanticipated inquiries.

Secure the Right Coverage. Separate, stand-alone directors and officers (D&O) and cyber liability policies will provide the most protection. Consulting with a third-party, independent broker like HUB will offer a number of preventive and post-breach services while helping directors and officers sift through the options.

Contact a HUB risk management consultant to learn more about how directors and officers can protect themselves and reduce the severity of cyber risks by instituting the proper prevention controls and carrying the right coverage.